UNIT – 5
RISK MANAGEMENT
TOPICS:
➢ Risk Types,
➢ Estimation & Planning,
➢ Software Quality – McCall Quality Factors,
➢ Six Sigma for Software Quality,
➢ Quality Assurance, and its Techniques.
What is RISK???
➢ "Tomorrow's problems are today's risks." Hence, a clear definition of a "risk" is a problem
that could cause some loss or threaten the progress of the project, but which has not
happened yet.
➢ These potential issues might harm the cost, schedule or technical success of the project, the
quality of our software product, or project team morale.
➢ Risk Management is the system of identifying, addressing and eliminating these problems
before they can damage the project.
➢ We need to differentiate risks, as potential issues, from the current problems of the project.
➢ Different methods are required to address these two kinds of issues.
✓ For example, a staff shortage, because we have not been able to select people with the
right technical skills, is a current problem, but the threat of our technical staff
being hired away by the competition is a risk.
RISK MANAGEMENT:
➢ A software project can be affected by a large variety of risks. In order to be able to
systematically identify the significant risks which might affect a software project, it is
essential to classify risks into different classes. The project manager can then check which
risks from each class are relevant to the project.
➢ There are three main classifications of risks which can affect a software project:
1. Project risks
2. Technical risks
3. Business risks
1. Project Risks: Project risks concern different forms of budgetary, schedule, personnel,
resource, and customer-related problems. A vital project risk is schedule slippage. Since
software is intangible, it is very tough to monitor and control a software project. It is
very tough to control something which cannot be seen. In a manufacturing
project, such as the manufacturing of cars, the project manager can see the product
taking shape.
2. Technical Risks: Technical risks concern potential design, implementation, interfacing,
testing, and maintenance issues. They also include ambiguous specifications, incomplete
specifications, changing specifications, technical uncertainty, and technical obsolescence.
Most technical risks appear due to the development team's insufficient knowledge about
the project.
3. Business Risks: This type of risk includes the risk of building an excellent product that no
one needs, losing budgetary or personnel commitments, etc.
4. Other Risk Categories:
a. Known risks: Those risks that can be uncovered after careful assessment of the project
plan, the business and technical environment in which the project is being developed,
and other reliable data sources (e.g., an unrealistic delivery date).
b. Predictable risks: Those risks that are hypothesized from previous project experience
(e.g., past staff turnover).
c. Unpredictable risks: Those risks that can and do occur, but are extremely tough to
identify in advance.
PRINCIPLES of RISK MANAGEMENT:
1. Global Perspective: In this, we review the bigger system description, design, and
implementation. We look at the chance of the risk occurring and the impact it is going to have.
2. Take a forward-looking view: Consider the threats which may appear in the future and
create plans for directing the next events.
3. Open Communication: This is to allow the free flow of communication between the
client and the team members so that they have certainty about the risks.
4. Integrated management: In this method, risk management is made an integral part of
project management.
5. Continuous process: In this phase, the risks are tracked continuously throughout the risk
management paradigm.
RISK MANAGEMENT ACTIVITIES / RISK ESTIMATION:
➢ Risk Management consists of three main activities, as shown in the figure below:
1. RISK ASSESSMENT:
➢ The objective of risk assessment is to rank the risks in terms of their loss-causing
potential. For risk assessment, first, every risk should be rated on two dimensions:
➢ The probability of the risk coming true (denoted as r).
➢ The consequences of the problems associated with that risk (denoted as s).
➢ Based on these two ratings, the priority of each risk can be estimated:
p = r * s
➢ Where ‘p’ is the priority with which the risk must be controlled, ‘r’ is the probability of the
risk becoming true, and ‘s’ is the severity of loss caused due to the risk becoming true. Once
all identified risks are prioritized, the most likely and damaging risks can be controlled
first, and more comprehensive risk abatement methods can be designed for these risks.
1. RISK IDENTIFICATION:
➢ The project manager needs to anticipate the risks in the project as early as possible so
that the impact of the risks can be reduced by effective risk management planning.
➢ A project can be affected by a large variety of risks. To identify the significant risks that
might affect a project, it is necessary to categorize them into different classes.
➢ There are different types of risks which can affect a software project:
a. TECHNOLOGY RISKS: Risks that arise from the software or hardware
technologies that are used to develop the system.
b. PEOPLE RISKS: Risks that are associated with the people in the development team.
c. ORGANIZATIONAL RISKS: Risks that arise from the organizational environment
where the software is being developed.
d. TOOLS RISKS: Risks that arise from the software tools and other support software
used to create the system.
e. REQUIREMENT RISKS: Risks that arise from changes to the customer
requirements and the process of managing the requirements change.
f. ESTIMATION RISKS: Risks that arise from the management estimates of the
resources required to build the system.
2. RISK ANALYSIS:
➢ During the risk analysis process, you have to consider every identified risk and make a
judgement of the probability and seriousness of that risk.
➢ There is no simple way to do this. You have to rely on your judgement and experience
of previous projects and the problems that arose in them.
➢ It is not possible to make an exact numerical estimate of the probability and
seriousness of each risk. Instead, you should assign the risk to one of several bands:
✓ The probability of the risk might be assessed as very low (0-10%), low (10-25%),
moderate (25-50%), high (50-75%) or very high (75%+).
✓ The effect of the risk might be assessed as catastrophic (threatens the survival of
the project), serious (would cause significant delays), tolerable (delays are within
allowed contingency), or insignificant.
2. RISK CONTROL:
➢ It is the process of managing risks to achieve desired outcomes. After all the identified
risks of a project have been assessed, plans must be made to contain the most harmful and
the most likely risks. Different risks need different containment methods. In fact, most risks
need ingenuity on the part of the project manager in tackling the risk.
➢ There are three main strategies to plan for risk management. They are:
1. Avoid the risk: This may take several forms, such as discussing with the client to change
the requirements to decrease the scope of the work, giving incentives to the engineers
to avoid the risk of human resources turnover, etc.
2. Transfer the risk: This method involves getting the risky component developed by a third
party, buying insurance cover, etc.
3. Risk reduction: This means planning ways to contain the loss due to the risk. For
instance, if there is a risk that some key personnel might leave, new recruitment can be
planned.
3. RISK LEVERAGE:
➢ To choose between the various methods of handling a risk, the project manager must consider
the cost of controlling the risk and the corresponding reduction in risk. For this, the risk
leverage of the various risks can be estimated.
➢ Risk leverage is the difference in risk exposure divided by the cost of reducing the risk:
Risk Leverage = (risk exposure before reduction - risk exposure after reduction) / (cost of reduction)
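The following is an added worked example (not from these notes) that ties the risk assessment formula p = r * s, the probability bands from risk analysis, and the risk leverage formula together in one small risk register. The register entries, the severity scale for the effect categories, and the money figures used for exposure and mitigation cost are all constructed for illustration.

```python
"""Worked risk register: priority p = r * s, probability bands, and risk leverage.
Added example; register entries and cost figures are constructed, not from the notes."""
from dataclasses import dataclass

# Probability bands from the notes: very low (0-10%), low (10-25%),
# moderate (25-50%), high (50-75%), very high (75%+). Upper bound exclusive.
PROBABILITY_BANDS = [
    (0.10, "very low"),
    (0.25, "low"),
    (0.50, "moderate"),
    (0.75, "high"),
    (1.01, "very high"),
]

# Effect categories from the notes mapped to an assumed severity score s
# (1 = insignificant .. 4 = catastrophic) so that p = r * s can be computed.
EFFECT_SEVERITY = {"insignificant": 1, "tolerable": 2, "serious": 3, "catastrophic": 4}


def probability_band(r: float) -> str:
    """Place a probability r in [0, 1] into one of the five bands."""
    if not 0.0 <= r <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    for upper, name in PROBABILITY_BANDS:
        if r < upper:
            return name
    return "very high"


@dataclass
class Risk:
    name: str
    r: float       # probability of the risk coming true
    effect: str    # one of the EFFECT_SEVERITY keys

    @property
    def s(self) -> int:
        return EFFECT_SEVERITY[self.effect]

    @property
    def priority(self) -> float:
        """p = r * s, the priority with which the risk must be controlled."""
        return self.r * self.s


def prioritize(risks):
    """Return the risks sorted so the most likely and most damaging come first."""
    return sorted(risks, key=lambda k: k.priority, reverse=True)


def risk_leverage(exposure_before: float, exposure_after: float, cost_of_reduction: float) -> float:
    """Risk leverage = (exposure before - exposure after) / cost of reduction.
    Exposure is expressed in money (expected loss), so the result is a unitless
    return on mitigation spend; a higher value means a better mitigation."""
    if cost_of_reduction <= 0:
        raise ValueError("cost of reduction must be positive")
    return (exposure_before - exposure_after) / cost_of_reduction


# Constructed register for a hypothetical project.
REGISTER = [
    Risk("key developer hired away by competitor", 0.30, "serious"),
    Risk("requirements change late in the cycle", 0.60, "tolerable"),
    Risk("compiler toolchain obsolete before release", 0.05, "catastrophic"),
]

if __name__ == "__main__":
    for risk in prioritize(REGISTER):
        print(f"{risk.priority:.2f}  {probability_band(risk.r):9s}  {risk.effect:13s}  {risk.name}")
    # Two candidate mitigations for the turnover risk (constructed figures):
    # expected loss before mitigation = 0.30 * 100000 = 30000.
    print(risk_leverage(30000, 10000, 8000))   # retention bonus: 2.5
    print(risk_leverage(30000, 5000, 25000))   # hire a second specialist: 1.0
```

Comparing the two leverage values shows why the cheaper retention bonus is preferred even though hiring a second specialist reduces exposure more.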
4. RISK PLANNING:
➢ The risk planning process considers each of the key risks that have been identified and
develops ways to manage these risks.
➢ For each of the risks, you have to think of the actions that you may take to minimize the
disruption to the project if the issue identified in the risk occurs.
➢ You also should think about the data that you might need to collect while monitoring the project
so that issues can be anticipated.
➢ Again, there is no easy process that can be followed for contingency planning. It relies on
the judgment and experience of the project manager.
5. RISK MONITORING:
➢ Risk monitoring is the process of checking that your assumptions about the product, process, and
business risks have not changed.
SE Assignment 5
1. With a neat sketch explain classification of software quality factors?
2. (A). What is risk? Explain different types of software risks?
(B). Point out the required principles for risk management?
3. Explain the ISO 9000 Certification process? Explain its advantages and disadvantages?
4. What is Six Sigma? Explain how it will improve the quality of software?
SOFTWARE QUALITY:
➢ The quality of a software product is defined in terms of its fitness of purpose. That is, a quality
product does precisely what the users want it to do. For software products, fitness of
purpose is generally explained in terms of satisfaction of the requirements laid down in the SRS
document. Although "fitness of purpose" is a satisfactory interpretation of quality for many
devices such as a car, a table fan, a grinding machine, etc., for software products "fitness
of purpose" is not a wholly satisfactory definition of quality.
➢ Example: Consider a functionally correct software product. That is, it performs all tasks
as specified in the SRS document, but has an almost unusable user interface. Even though
it may be functionally right, we cannot consider it to be a quality product.
➢ The modern view of quality associates with a software product several quality factors
such as the following:
1. Portability: A software product is said to be portable if it can be freely made to work
in various operating system environments, on multiple machines, with other software
products, etc.
2. Usability: A software product has better usability if various categories of users can
easily invoke the functions of the product.
3. Reusability: A software product has excellent reusability if different modules of the
product can quickly be reused to develop new products.
4. Correctness: A software product is correct if the various requirements as specified in the
SRS document have been correctly implemented.
5. Maintainability: A software product is maintainable if bugs can be easily corrected as
and when they show up, new functions can be easily added to the product, and the
functionalities of the product can be easily modified, etc.
SOFTWARE QUALITY MANAGEMENT SYSTEM:
➢ A Quality Management System is the principal method used by organizations to ensure
that the products they develop have the desired quality. A quality system consists of the
following:
1. Managerial Structure and Individual Responsibilities:
✓ A quality system is the responsibility of the organization as a whole. However,
every organization has a separate quality department to perform various quality system
activities.
✓ The quality system of an organization should have the support of the top
management. Without support for the quality system at a high level in a company,
many members of staff will not take the quality system seriously.
2. Quality System Activities: The quality system activities encompass the following:
✓ Auditing of projects
✓ Review of the quality system
✓ Development of standards, methods, and guidelines, etc.
✓ Production of documents for the top management summarizing the effectiveness of
the quality system in the organization.
EVOLUTION OF QUALITY MANAGEMENT SYSTEM:
➢ Quality systems have progressively evolved over the last five decades. Before World War
II, the usual method to produce quality products was to inspect the finished products to
remove defective items. Since that time, the quality systems of organizations have undergone
four stages of evolution, as shown in the figure. The initial product inspection task gave
way to quality control (QC).
➢ Quality control aims not only at detecting the defective items and removing them but
also at determining the causes behind the defects. Thus, quality control aims at correcting
the causes of defects and not just rejecting the products. The next breakthrough in quality
systems was the development of quality assurance methods.
➢ The primary premise of modern quality assurance is that if an organization's processes are
proper and are followed rigorously, then the products are bound to be of good quality.
The new quality functions include guidance for recognizing, defining, analyzing, and
improving the production process.
➢ Total quality management (TQM) advocates that the processes followed by an organization
must be continuously improved through process measurements. TQM goes a step further
than quality assurance and aims at continuous process improvement. TQM goes beyond
documenting processes to optimizing them through redesign. A term related to TQM is
Business Process Reengineering (BPR).
➢ BPR aims at reengineering the way business is carried out in an organization. From the
above discussion, it can be stated that over the years, the quality paradigm has shifted
from product assurance to process assurance, as shown in the figure.
ISO 9000 CERTIFICATION:
➢ ISO (International Standards Organization) is a group or consortium of 63 countries
established to plan and foster standardization. ISO released its 9000 series of standards in
1987. It serves as a reference for contracts between independent parties. The ISO 9000
standard specifies the guidelines for maintaining a quality system. The ISO standard
mainly addresses operational aspects and organizational aspects such as responsibilities,
reporting, etc. ISO 9000 defines a set of guidelines for the production process and is not
directly concerned with the product itself.
Types of ISO 9000 Quality Standards:
➢ The ISO 9000 series of standards is based on the assumption that if a proper process is
followed for production, then good quality products are bound to follow automatically. The
types of industries to which the various ISO standards apply are as follows.
1. ISO 9001: This standard applies to the organizations engaged in design, development,
production, and servicing of goods. This is the standard that applies to most software
development organizations.
2. ISO 9002: This standard applies to those organizations which do not design products
but are only involved in production. Examples in this category include
steel and car manufacturing industries that buy product and plant designs from
external sources and are engaged only in manufacturing those products. Therefore, ISO
9002 does not apply to software development organizations.
3. ISO 9003: This standard applies to organizations that are involved only in the
installation and testing of the products. For example, Gas companies.
How to get ISO 9000 Certification???
➢ An organization that decides to obtain ISO 9000 certification applies to the ISO registrar office
for registration. The process consists of the following stages:
1. Application: Once an organization has decided to go for ISO certification, it applies to the
registrar for registration.
2. Pre-Assessment: During this stage, the registrar makes a rough assessment of the
organization.
3. Document Review and Adequacy Audit: During this stage, the registrar reviews the
documents submitted by the organization and suggests improvements.
4. Compliance Audit: During this stage, the registrar checks whether the organization has
complied with the suggestions made by it during the review or not.
5. Registration: The registrar awards the ISO certification after the successful completion
of all the phases.
6. Continued Inspection: The registrar continues to monitor the organization from time to time.
ADVANTAGES OF ISO 9000:
➢ The advantages associated with ISO 9000 certification are numerous, as both business
analysts and business owners will attest. These benefits, which can impact nearly all corners
of a company, range from increased stature to bottom-line operational savings. They
include:
1. Increased marketability: Nearly all observers agree that ISO 9000 registration
provides businesses with markedly heightened credibility with current and prospective
clients alike. Basically, it proves that the company is dedicated to providing quality to
its customers, which is no small advantage whether the company is negotiating with a
long-time customer or endeavouring to pry a potentially lucrative customer away from
a competitor. This benefit manifests itself not only in increased customer retention, but
also in increased customer acquisition and heightened ability to enter into new markets;
indeed, ISO 9000 registration has been cited as being of particular value for small and
mid-sized businesses hoping to establish a presence in international markets.
2. Reduced operational expenses: Sometimes lost in the many discussions of ISO 9000's
public relations cachet is the fact that the rigorous registration process often exposes
significant shortcomings in various operational areas. When these problems are brought
to light, the company can take the appropriate steps to improve its processes. These
improved efficiencies can help companies garner savings in both time and money. "The
cost of scrap, rework, returns, and the employee time spent analyzing and
troubleshooting various products are all considerably reduced by initiating the
discipline of ISO 9000, " confirmed Richard B. Wright in Industrial Distribution.
3. Better management control: The ISO 9000 registration process requires so much
documentation and self-assessment that many businesses that undergo its rigors cite
increased understanding of the company's overall direction and processes as a
significant benefit.
4. Increased customer satisfaction: Since the ISO 9000 certification process almost
inevitably uncovers areas in which final product quality can be improved, such efforts
often bring about higher levels of customer satisfaction. In addition, by seeking and
securing ISO 9000 certification, companies can provide their clients with the
opportunity to tout their suppliers' dedication to quality in their own business dealings.
5. Improved internal communication: The ISO 9000 certification process's emphasis
on self-analysis and operations management issues encourages various internal areas or
departments of companies to interact with one another in hopes of gaining a more
complete understanding of the needs and desires of their internal customers.
6. Improved customer service: The process of securing ISO 9000 registration often
serves to refocus company priorities on pleasing their customers in all respects,
including customer service areas. It also helps heighten awareness of quality issues
among employees.
7. Reduction of product-liability risks: Many business experts contend that companies
that achieve ISO 9000 certification are less likely to be hit with product liability
lawsuits, etc., because of the quality of their processes.
8. Attractiveness to investors: Business consultants and small business owners alike
agree that ISO-9000 certification can be a potent tool in securing funding from venture
capital firms.
DISADVANTAGES OF ISO 9000:
➢ Despite the many advantages associated with ISO 9000, however, business owners and
consultants caution companies to research the rigorous certification process before
committing resources to it. Following is a list of potential hurdles for entrepreneurs to study
before committing to an initiative to gain ISO 9000 certification:
1. Owners and managers do not have an adequate understanding of the ISO 9000
certification process or of the quality standards themselves: Some business owners
have been known to direct their company's resources toward ISO 9000 registration,
only to find that their incomplete understanding of the process and its requirements
results in wasted time and effort.
2. Funding for establishing the quality system is inadequate: Critics of ISO 9000
contend that achieving certification can be a very costly process, especially for smaller
firms. Indeed, according to a 1996 Quality Systems Update survey, the average cost of
ISO certification for small firms (those registering less than $11 million in annual sales)
was $71,000.
3. Heavy emphasis on documentation: The ISO 9000 certification process relies heavily
on documentation of internal operating procedures in many areas, and as Meyer stated,
"many say ISO's exacting documentation requirements gobble up time. Indeed, there
are horror stories about companies losing substantial business because a documentation
obsession redirected their priorities." According to Nation's Business, small business
owners need to find an appropriate balance between ISO documentation requirements,
which are admittedly "one of ISO 9000's hallmarks," and attending to the fundamental
business of running a company: "Strike a balance among obsessively writing down
every employee's task, offering training for the work, and letting common sense dictate
how a task is to be performed."
4. Length of the process: Business executives and owners familiar with the ISO 9000
registration process warn that it is a process that takes many months to complete. The
1996 Quality Systems Update survey indicated that it took businesses an average of 15
months to move from the early stages of the process to passage of the final audit, and
that processes of 18-20 months or even longer were not that uncommon.
SOFTWARE QUALITY FACTORS:
➢ Software quality factors can be divided into three broad measures: operability,
maintainability, and transferability.
➢ Each of these measures can be further broken down into individual factors, as shown in the
figure below. The main factor models are:
1. McCall (consisting of 11 factors, 1977),
2. Deutsch and Willis (consisting of 12 to 15 factors, 1988), and
3. Evans and Marciniak (1987).
McCALL SOFTWARE QUALITY MODEL FACTORS:
➢ The McCall software quality model was introduced in 1977. It divides the software
requirements into 11 software quality factors.
➢ These are grouped into three categories: product operation, product revision, and product
transition factors.
1. Product operation factors − Correctness, Reliability, Efficiency, Integrity, Usability.
2. Product revision factors − Maintainability, Flexibility, Testability.
3. Product transition factors − Portability, Reusability, Interoperability.
➢ The definitions of these 11 McCall software quality factors are given below:
1. Correctness – extent to which a program satisfies its specification and fulfills the
client’s objective.
2. Reliability – extent to which a program is supposed to perform its function with the
required precision.
3. Efficiency – amount of computing and code required by a program to perform its
function.
4. Integrity – extent to which access to software and data is denied to unauthorized users.
5. Usability – labor required to understand, operate, prepare input and interpret output of
a program.
6. Maintainability – effort required to locate and fix an error in a program.
7. Flexibility – effort needed to modify an operational program.
8. Testability – effort required to test the programs for their functionality.
9. Portability – effort required to move the program from one platform to another or to
different hardware.
10. Reusability – extent to which the program or its parts can be used as building blocks
or as prototypes for other programs.
11. Interoperability – effort required to couple one system to another.
SIX SIGMA: